On March 13, DeFi lending protocol Euler Finance suffered a massive flash loan attack, making it the largest crypto hack of 2023 so far. The incident resulted in the loss of approximately $197 million and impacted over 11 other DeFi protocols. In response, Euler announced on March 14 that it had disabled the vulnerable eToken module and the donation function to prevent further deposits.
Furthermore, the Euler Finance team stated to its users that the vulnerability was not detected in the initial audit conducted by various security groups. The team has assured that it will continue to work with security groups to ensure the protocol’s safety going forward.
For eight months, the vulnerability existed on-chain despite a $1 million bug bounty. Unfortunately, it was eventually exploited by an unknown party.
Sherlock, an audit group that had previously worked with Euler Finance, conducted a thorough investigation and identified the root cause of the exploit. After the claim was submitted and approved under Sherlock's audit protocol, a payout of $3.3 million was executed on March 14. In its analysis report, Sherlock highlighted a major factor contributing to the exploit: the lack of a health check in "donateToReserves," a new function added with EIP-14. Sherlock noted that the attack could still have been technically possible without EIP-14.
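To illustrate the missing health check described above, here is a deliberately simplified lending market written for this article; it is not Euler's code, and the balances, the 75% collateral factor and the function names other than donateToReserves are constructed assumptions. The unchecked variant lets a borrower burn collateral that still backs outstanding debt; the hardened variant runs the same solvency check that any other collateral-reducing action should run.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration only (not Euler's implementation).
// Users hold collateral (eToken-like balances) and may borrow against it
// (dToken-like balances). A position is healthy while its borrowing power,
// collateral * collateral factor, still covers its debt.
contract MiniMarket {
    mapping(address => uint256) public collateral; // assumed eToken-like balance
    mapping(address => uint256) public debt;       // assumed dToken-like balance
    uint256 public reserves;
    uint256 public constant COLLATERAL_FACTOR_BPS = 7500; // 75%, constructed value

    function isHealthy(address user) public view returns (bool) {
        return (collateral[user] * COLLATERAL_FACTOR_BPS) / 10_000 >= debt[user];
    }

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount; // token transfer omitted for brevity
    }

    // Borrowing is guarded: the position must be healthy after the debt increases.
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(isHealthy(msg.sender), "undercollateralized");
    }

    // Vulnerable pattern: collateral is burned into reserves without asking
    // whether the caller's debt is still covered afterwards. A borrower can
    // leave behind a position whose debt exceeds its remaining collateral.
    function donateToReservesUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
    }

    // Hardened pattern: same state change, followed by the health check that
    // withdraw, transfer and every other collateral-reducing path must enforce.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        require(isHealthy(msg.sender), "donation would leave position unhealthy");
    }
}
```

The invariant to audit for is that every code path which lowers a user's collateral or raises their debt ends with the same solvency check; a new entry point that skips it is exactly the gap this incident exposed.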
In July 2022, WatchPug conducted an audit of Euler for Sherlock; however, the audit missed the critical vulnerability that was eventually exploited in March 2023.
Euler has taken steps to investigate the attack and recover the stolen funds, reaching out to leading on-chain analytics and blockchain security firms such as TRM Labs and Chainalysis, as well as the ETH security community. Additionally, Euler is attempting to contact those responsible for the attack to learn more about the issue and to discuss negotiating a bounty in exchange for the return of the stolen funds.